Package: dnsmasq
Version: 2.66-2
Severity: wishlist

OpenDNS's DNSCrypt client for Linux (called 'dnscrypt-proxy')[0] is not yet packaged for Debian but some people are already installing it from source and it is of course possible that it will eventually be packaged. This is a request that the dnsmasq package be enhanced to make it easy to use dnsmasq along with dnscrypt-proxy and resolvconf.

Dnscrypt-proxy doesn't cache. So it makes sense to run dnsmasq with caching turned on and configured to forward queries to dnscrypt-proxy at a loopback address. The request is that this happen automagically when resolvconf is also installed.

Getting it to happen automagically on a resolvconfful system just requires tweaking dnsmasq's resolvconf hook script. Currently dnsmasq's resolvconf hook script gathers all nameserver addresses from the resolvconf database, excludes dnsmasq's own listen address and writes the remaining addresses to /var/run/dnsmasq/resolv.conf. When dnscrypt-proxy is running only dnscrypt-proxy's address should be used.

Let's decide here and now that the name of dnscrypt-proxy's resolvconf record will be "lo.dnscrypt". (Thus dnscrypt-proxy or its initscript will do something like "echo 127.0.0.2 | resolvconf -a lo.dnscrypt".) Dnsmasq's resolvconf hook script should thus be changed such that if lo.dnscrypt is present, only the address from lo.dnscrypt will be written to /var/run/dnsmasq/resolv.conf.

Once there is agreement I will submit a patch.

[0] https://github.com/opendns/dnscrypt-proxy
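
Added example (not part of the original report and not dnsmasq's actual hook script): a sketch of the selection rule requested above, showing that once a lo.dnscrypt record exists no other upstream is written, so queries cannot fall back to an unencrypted resolver. The function name `select_upstreams`, the one-file-per-record directory layout with "nameserver ADDR" lines, and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Illustrative sketch only; names and record layout are assumptions.
#
# select_upstreams RECORD_DIR [OWN_ADDR]
#   RECORD_DIR  directory holding one file per resolvconf record
#               (e.g. eth0.dhclient, lo.dnsmasq, lo.dnscrypt), each with
#               "nameserver ADDR" lines
#   OWN_ADDR    dnsmasq's own listen address, always excluded
# Prints the "nameserver" lines dnsmasq should forward to.
select_upstreams() {
    dir=$1
    own=${2:-127.0.0.1}
    dnscrypt_record="lo.dnscrypt"    # record name proposed in the report

    if [ -s "$dir/$dnscrypt_record" ]; then
        # dnscrypt-proxy has registered itself: use its record alone so
        # that no DHCP- or PPP-supplied resolver is consulted.
        set -- "$dir/$dnscrypt_record"
    else
        # Current behaviour: consider every record in the database.
        set -- "$dir"/*
    fi

    for f in "$@"; do
        [ -f "$f" ] || continue      # skips an unmatched glob as well
        sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$f"
    done |
        grep -vxF -- "$own" |        # never forward to ourselves
        awk '!seen[$0]++ { print "nameserver " $0 }'   # drop duplicates
}

# Constructed sample records (documentation addresses, not real data).
demo=$(mktemp -d)
echo "nameserver 192.0.2.53" > "$demo/eth0.dhclient"
echo "nameserver 127.0.0.1"  > "$demo/lo.dnsmasq"
select_upstreams "$demo"     # prints: nameserver 192.0.2.53
echo "nameserver 127.0.0.2"  > "$demo/lo.dnscrypt"
select_upstreams "$demo"     # prints: nameserver 127.0.0.2
rm -rf "$demo"
```

In a real hook the printed lines would be written to /var/run/dnsmasq/resolv.conf, the file the report names.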